Blob Blame History Raw
## <summary>IRC client policy</summary>

#######################################
## <summary>
##	The per role template for the irc module.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domains which are used
##	for an irc client sessions.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
#
template(`irc_per_role_template',`
	gen_require(`
		type irc_exec_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_irc_t;
	application_domain($1_irc_t, irc_exec_t)
	role $3 types $1_irc_t;

	type $1_irc_exec_t;
	userdom_user_home_content($1, $1_irc_exec_t)
	application_domain($1_irc_t, $1_irc_exec_t)

	type $1_irc_home_t;
	userdom_user_home_content($1, $1_irc_home_t)

	type $1_irc_tmp_t;
	userdom_user_home_content($1, $1_irc_tmp_t)

	########################################
	#
	# Local policy
	#

	allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_irc_t self:tcp_socket create_socket_perms;
	allow $1_irc_t self:udp_socket create_socket_perms;

	manage_dirs_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
	manage_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
	manage_lnk_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
	userdom_user_home_dir_filetrans($1, $1_irc_t, $1_irc_home_t,{ dir file lnk_file })

	# access files under /tmp
	manage_dirs_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
	manage_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
	manage_lnk_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
	manage_fifo_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
	manage_sock_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
	files_tmp_filetrans($1_irc_t, $1_irc_tmp_t, { file dir lnk_file sock_file fifo_file })

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, irc_exec_t, $1_irc_t)

	allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms };

	# allow ps to show irc
	ps_process_pattern($2, $1_irc_t)
	allow $2 $1_irc_t:process signal;

	kernel_read_proc_symlinks($1_irc_t)

	corenet_all_recvfrom_unlabeled($1_irc_t)
	corenet_all_recvfrom_netlabel($1_irc_t)
	corenet_tcp_sendrecv_generic_if($1_irc_t)
	corenet_udp_sendrecv_generic_if($1_irc_t)
	corenet_tcp_sendrecv_all_nodes($1_irc_t)
	corenet_udp_sendrecv_all_nodes($1_irc_t)
	corenet_tcp_sendrecv_all_ports($1_irc_t)
	corenet_udp_sendrecv_all_ports($1_irc_t)
	corenet_sendrecv_ircd_client_packets($1_irc_t)
	# cjp: this seems excessive:
	corenet_tcp_connect_all_ports($1_irc_t)
	corenet_sendrecv_all_client_packets($1_irc_t)

	domain_use_interactive_fds($1_irc_t)

	files_dontaudit_search_pids($1_irc_t)
	files_search_var($1_irc_t)
	files_read_etc_files($1_irc_t)
	files_read_usr_files($1_irc_t)

	fs_getattr_xattr_fs($1_irc_t)
	fs_search_auto_mountpoints($1_irc_t)

	term_use_controlling_term($1_irc_t)
	term_list_ptys($1_irc_t)

	# allow utmp access
	init_read_utmp($1_irc_t)
	init_dontaudit_lock_utmp($1_irc_t)

	miscfiles_read_localization($1_irc_t)

	# Inherit and use descriptors from newrole.
	seutil_use_newrole_fds($1_irc_t)

	sysnet_read_config($1_irc_t)

	# Write to the user domain tty.
	userdom_use_user_terminals($1, $1_irc_t)

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_irc_t)
		fs_manage_nfs_files($1_irc_t)
		fs_manage_nfs_symlinks($1_irc_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_irc_t)
		fs_manage_cifs_files($1_irc_t)
		fs_manage_cifs_symlinks($1_irc_t)
	')

	optional_policy(`
		nis_use_ypbind($1_irc_t)
	')
')